{"id":"https://openalex.org/W4388886678","doi":"https://doi.org/10.1145/3605764.3623915","title":"Broken Promises: Measuring Confounding Effects in Learning-based Vulnerability Discovery","display_name":"Broken Promises: Measuring Confounding Effects in Learning-based Vulnerability Discovery","publication_year":2023,"publication_date":"2023-11-21","ids":{"openalex":"https://openalex.org/W4388886678","doi":"https://doi.org/10.1145/3605764.3623915"},"language":"en","primary_location":{"id":"doi:10.1145/3605764.3623915","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3605764.3623915","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3605764.3623915","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://dl.acm.org/doi/pdf/10.1145/3605764.3623915","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5092446289","display_name":"Erik Imgrund","orcid":"https://orcid.org/0009-0003-2854-6419"},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Erik Imgrund","raw_affiliation_strings":["SAP Security Research, Karlsruhe, Germany"],"raw_orcid":"https://orcid.org/0009-0003-2854-6419","affiliations":[{"raw_affiliation_string":"SAP Security Research, Karlsruhe, Germany","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5083594920","display_name":"Tom Ganz","orcid":"https://orcid.org/0000-0002-4337-4390"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Tom Ganz","raw_affiliation_strings":["SAP Security Research, Karlsruhe, Germany"],"raw_orcid":"https://orcid.org/0000-0002-4337-4390","affiliations":[{"raw_affiliation_string":"SAP Security Research, Karlsruhe, Germany","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5026679042","display_name":"Martin H\u00e4rterich","orcid":"https://orcid.org/0000-0002-8349-5912"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Martin H\u00e4rterich","raw_affiliation_strings":["SAP Security Research, Karlsruhe, Germany"],"raw_orcid":"https://orcid.org/0000-0002-8349-5912","affiliations":[{"raw_affiliation_string":"SAP Security Research, Karlsruhe, Germany","institution_ids":[]}]},{"author_position":"middle","author":{"id":null,"display_name":"Lukas Pirch","orcid":"https://orcid.org/0000-0002-0666-5025"},"institutions":[{"id":"https://openalex.org/I4577782","display_name":"Technische Universit\u00e4t Berlin","ror":"https://ror.org/03v4gjf40","country_code":"DE","type":"education","lineage":["https://openalex.org/I4577782"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Lukas Pirch","raw_affiliation_strings":["Technische Universit\u00e4t Berlin, Berlin, Germany"],"raw_orcid":"https://orcid.org/0000-0002-0666-5025","affiliations":[{"raw_affiliation_string":"Technische Universit\u00e4t Berlin, Berlin, Germany","institution_ids":["https://openalex.org/I4577782"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Niklas Risse","orcid":"https://orcid.org/0009-0003-9185-780X"},"institutions":[{"id":"https://openalex.org/I4210096592","display_name":"Max Planck Institute for Security and Privacy","ror":"https://ror.org/00bj0r217","country_code":"DE","type":"facility","lineage":["https://openalex.org/I149899117","https://openalex.org/I4210096592"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Niklas Risse","raw_affiliation_strings":["Max Planck Institute, Bochum, Germany"],"raw_orcid":"https://orcid.org/0009-0003-9185-780X","affiliations":[{"raw_affiliation_string":"Max Planck Institute, Bochum, Germany","institution_ids":["https://openalex.org/I4210096592"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5066077721","display_name":"Konrad Rieck","orcid":"https://orcid.org/0000-0002-5054-8758"},"institutions":[{"id":"https://openalex.org/I4577782","display_name":"Technische Universit\u00e4t Berlin","ror":"https://ror.org/03v4gjf40","country_code":"DE","type":"education","lineage":["https://openalex.org/I4577782"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Konrad Rieck","raw_affiliation_strings":["Technische Universit\u00e4t Berlin, Berlin, Germany"],"raw_orcid":"https://orcid.org/0000-0002-5054-8758","affiliations":[{"raw_affiliation_string":"Technische Universit\u00e4t Berlin, Berlin, Germany","institution_ids":["https://openalex.org/I4577782"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":6,"corresponding_author_ids":["https://openalex.org/A5092446289"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":4.0358,"has_fulltext":true,"cited_by_count":9,"citation_normalized_percentile":{"value":0.94625707,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":90,"max":99},"biblio":{"volume":null,"issue":null,"first_page":"149","last_page":"160"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9986000061035156,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9986000061035156,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12423","display_name":"Software Reliability and Analysis Research","score":0.9929999709129333,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9925000071525574,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/spurious-relationship","display_name":"Spurious relationship","score":0.8674170970916748},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7230839729309082},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.5848566293716431},{"id":"https://openalex.org/keywords/machine-learning","display_name":"Machine learning","score":0.5733336210250854},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.45936909317970276},{"id":"https://openalex.org/keywords/confounding","display_name":"Confounding","score":0.4592873752117157},{"id":"https://openalex.org/keywords/obstacle","display_name":"Obstacle","score":0.44435474276542664},{"id":"https://openalex.org/keywords/profiling","display_name":"Profiling (computer programming)","score":0.4274280071258545},{"id":"https://openalex.org/keywords/root-cause","display_name":"Root cause","score":0.42726999521255493},{"id":"https://openalex.org/keywords/data-mining","display_name":"Data mining","score":0.3798432946205139},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.1805441975593567},{"id":"https://openalex.org/keywords/reliability-engineering","display_name":"Reliability engineering","score":0.14737558364868164},{"id":"https://openalex.org/keywords/engineering","display_name":"Engineering","score":0.1390356719493866},{"id":"https://openalex.org/keywords/statistics","display_name":"Statistics","score":0.136154443025589},{"id":"https://openalex.org/keywords/mathematics","display_name":"Mathematics","score":0.12342917919158936}],"concepts":[{"id":"https://openalex.org/C97256817","wikidata":"https://www.wikidata.org/wiki/Q1462316","display_name":"Spurious relationship","level":2,"score":0.8674170970916748},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7230839729309082},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.5848566293716431},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.5733336210250854},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.45936909317970276},{"id":"https://openalex.org/C77350462","wikidata":"https://www.wikidata.org/wiki/Q1125472","display_name":"Confounding","level":2,"score":0.4592873752117157},{"id":"https://openalex.org/C2776650193","wikidata":"https://www.wikidata.org/wiki/Q264661","display_name":"Obstacle","level":2,"score":0.44435474276542664},{"id":"https://openalex.org/C187191949","wikidata":"https://www.wikidata.org/wiki/Q1138496","display_name":"Profiling (computer programming)","level":2,"score":0.4274280071258545},{"id":"https://openalex.org/C84945661","wikidata":"https://www.wikidata.org/wiki/Q7366567","display_name":"Root cause","level":2,"score":0.42726999521255493},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.3798432946205139},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.1805441975593567},{"id":"https://openalex.org/C200601418","wikidata":"https://www.wikidata.org/wiki/Q2193887","display_name":"Reliability engineering","level":1,"score":0.14737558364868164},{"id":"https://openalex.org/C127413603","wikidata":"https://www.wikidata.org/wiki/Q11023","display_name":"Engineering","level":0,"score":0.1390356719493866},{"id":"https://openalex.org/C105795698","wikidata":"https://www.wikidata.org/wiki/Q12483","display_name":"Statistics","level":1,"score":0.136154443025589},{"id":"https://openalex.org/C33923547","wikidata":"https://www.wikidata.org/wiki/Q395","display_name":"Mathematics","level":0,"score":0.12342917919158936},{"id":"https://openalex.org/C17744445","wikidata":"https://www.wikidata.org/wiki/Q36442","display_name":"Political science","level":0,"score":0.0},{"id":"https://openalex.org/C199539241","wikidata":"https://www.wikidata.org/wiki/Q7748","display_name":"Law","level":1,"score":0.0},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3605764.3623915","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3605764.3623915","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3605764.3623915","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security","raw_type":"proceedings-article"}],"best_oa_location":{"id":"doi:10.1145/3605764.3623915","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3605764.3623915","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3605764.3623915","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security","raw_type":"proceedings-article"},"sustainable_development_goals":[{"display_name":"Responsible consumption and production","score":0.4399999976158142,"id":"https://metadata.un.org/sdg/12"}],"awards":[{"id":"https://openalex.org/G18682879","display_name":null,"funder_award_id":"390781972","funder_id":"https://openalex.org/F4320320879","funder_display_name":"Deutsche Forschungsgemeinschaft"},{"id":"https://openalex.org/G2207416379","display_name":null,"funder_award_id":"101043410","funder_id":"https://openalex.org/F4320334678","funder_display_name":"European Research Council"},{"id":"https://openalex.org/G3582019854","display_name":null,"funder_award_id":"16KIS1165K","funder_id":"https://openalex.org/F4320321114","funder_display_name":"Bundesministerium f\u00fcr Bildung und Forschung"},{"id":"https://openalex.org/G7910929434","display_name":null,"funder_award_id":"BIFOLD23B","funder_id":"https://openalex.org/F4320321114","funder_display_name":"Bundesministerium f\u00fcr Bildung und Forschung"}],"funders":[{"id":"https://openalex.org/F4320320879","display_name":"Deutsche Forschungsgemeinschaft","ror":"https://ror.org/018mejw64"},{"id":"https://openalex.org/F4320321114","display_name":"Bundesministerium f\u00fcr Bildung und Forschung","ror":"https://ror.org/04pz7b180"},{"id":"https://openalex.org/F4320334678","display_name":"European Research Council","ror":"https://ror.org/0472cxd90"}],"has_content":{"pdf":true,"grobid_xml":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4388886678.pdf","grobid_xml":"https://content.openalex.org/works/W4388886678.grobid-xml"},"referenced_works_count":30,"referenced_works":["https://openalex.org/W1992114977","https://openalex.org/W2143891888","https://openalex.org/W2296283641","https://openalex.org/W2297419069","https://openalex.org/W2634106992","https://openalex.org/W2962858109","https://openalex.org/W3004658838","https://openalex.org/W3091588759","https://openalex.org/W3096425977","https://openalex.org/W3108032709","https://openalex.org/W3109966548","https://openalex.org/W3111602563","https://openalex.org/W3121707215","https://openalex.org/W3134763859","https://openalex.org/W3137781054","https://openalex.org/W3161071537","https://openalex.org/W3199249334","https://openalex.org/W3209597191","https://openalex.org/W4206706211","https://openalex.org/W4210772589","https://openalex.org/W4220722393","https://openalex.org/W4285069927","https://openalex.org/W4285490400","https://openalex.org/W4287673430","https://openalex.org/W4290877962","https://openalex.org/W4298884898","https://openalex.org/W4309023067","https://openalex.org/W4311165836","https://openalex.org/W4312436517","https://openalex.org/W4385412135"],"related_works":["https://openalex.org/W3113091479","https://openalex.org/W2162899405","https://openalex.org/W941090075","https://openalex.org/W2044987316","https://openalex.org/W3134374554","https://openalex.org/W2237480245","https://openalex.org/W2075065631","https://openalex.org/W2519167559","https://openalex.org/W2320350404","https://openalex.org/W1916774036"],"abstract_inverted_index":{"Several":[0],"learning-based":[1,20],"vulnerability":[2,31,137],"detection":[3,32],"methods":[4],"have":[5,24,39,44],"been":[6,41],"proposed":[7],"to":[8,43,55,73,83,92,113],"assist":[9],"developers":[10],"during":[11],"the":[12,48,70,94,115,124,129],"secure":[13],"software":[14],"development":[15],"life-cycle.":[16],"In":[17,58],"particular,":[18],"recent":[19],"large":[21],"transformer":[22],"networks":[23],"shown":[25,42],"remarkably":[26],"high":[27],"performance":[28,79],"in":[29,78,128],"various":[30],"and":[33,53,65,75,103],"localization":[34],"benchmarks.":[35],"However,":[36],"these":[37,97],"models":[38,102],"also":[40],"difficulties":[45],"accurately":[46],"locating":[47],"root":[49],"cause":[50],"of":[51,81,96,126],"flaws":[52],"generalizing":[54],"out-of-distribution":[56],"samples.":[57],"this":[59,63],"work,":[60],"we":[61],"investigate":[62],"problem":[64],"identify":[66],"spurious":[67,98],"correlations":[68,99],"as":[69,136],"main":[71],"obstacle":[72],"transferability":[74],"generalization,":[76],"resulting":[77],"losses":[80],"up":[82],"30%":[84],"for":[85,131],"current":[86],"models.":[87],"We":[88,109],"propose":[89],"a":[90],"method":[91],"measure":[93],"impact":[95],"on":[100],"learning":[101,133],"estimate":[104],"their":[105],"true,":[106],"unbiased":[107],"performance.":[108],"present":[110],"several":[111],"strategies":[112],"counteract":[114],"underlying":[116],"confounding":[117],"bias,":[118],"but":[119],"ultimately":[120],"our":[121],"work":[122],"highlights":[123],"limitations":[125],"evaluations":[127],"laboratory":[130],"complex":[132],"tasks":[134],"such":[135],"discovery.":[138]},"counts_by_year":[{"year":2026,"cited_by_count":2},{"year":2025,"cited_by_count":3},{"year":2024,"cited_by_count":3},{"year":2023,"cited_by_count":1}],"updated_date":"2026-03-27T05:58:40.876381","created_date":"2025-10-10T00:00:00"}